Measuring security

Enterprises are increasingly looking to measure security spend to ensure a return on investment (ROI). This raises a number of awkward questions. Abe Kleinfeld, president and CEO of security vendor nCircle, has the answers.

With cyber attacks continuing to make headlines, companies have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. IDC predicts that IT security spending will grow 6% in 2005, following 5% growth in 2004. It’s no surprise, then, that business executives are beginning to question what they’re getting for their IT security spending. Their tolerance for technospeak such as distributed denial of service attacks and buffer overruns is rapidly decreasing. Their expectation that shareholders receive value from security spending, on the other hand, is increasing. In this environment, IT security teams are starting to feel pressure to demonstrate the effectiveness of their efforts.

Few IT categories have evolved as quickly as security. Less than a decade ago, IT security was of limited concern. Business applications were developed for in-house use. Networks were private and built around proprietary protocols. Then, seemingly overnight, applications were turned inside out. Internal banking applications became online banking. In-house order entry systems became online shopping. Private networks gave way to the internet for all communication and information sharing. Worms and viruses became the norm, and the cost of security-related business interruption skyrocketed.

Security had to evolve quickly. In the early phases, senior executives cared mainly about containing the problem and let the technology experts decide what to do. As budgets increased, the technologies became at once more sophisticated and more numerous, eventually multiplying into a seemingly unlimited number of subcategories and products. Companies today are increasingly confused about how much to spend on IT security and what to spend it on. In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information. They were designed to be simple to use and to deploy, to accommodate IT security organisations’ limited headcount but growing capital budgets.

Now executives want to see results from all this security spending. Are IT security teams equipped to think about results when they can barely keep up with the administration and information overload from all the products they have acquired? And what about the additional products they still need? Are they even equipped to communicate with senior executives used to dealing with financial measures such as revenues, market share, margins, inventory and ROI?

Senior executives manage according to tried and true principles. The most effective is the ‘measure and manage’ principle: executives set goals based on identified metrics, then measure and manage to the established goal. Often the goal is to attain a desired return on investment. That’s fine for many business functions, but it falls short for some, particularly IT security. ROI is great when the goal is to increase revenues or reduce costs. But IT security doesn’t increase revenues or reduce costs, so security doesn’t have a measurable ROI. When it fails, there’s loss. When it works perfectly, there’s only cost, and how do you measure a loss that never happened?

So how do you demonstrate results from IT security? It turns out to be simpler than one would think, particularly when the problem is reduced to its fundamental components. When all the technology talk is set aside, the goal of IT security can be simply stated as minimising risk at the lowest possible cost. Getting to a results-driven model of IT security will require organisations to re-prioritise their efforts and budgets around a measurable, objective risk metric for their information systems and networks. Objective metrics must be tracked over time against measurable goals. Organisations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to last week, last month, last quarter and last year. By comparing risk trends with security spend, executives will clearly understand how their investment in security is being managed and how effective that spend is. IT security budgets will be justified, and effectiveness will be measured against the company’s acceptable risk tolerances.

Let’s face it, the risk of a security breach will always be present. But should such an event occur, organisations will have clearly documented processes and metrics that prove a standard of due care was in place. And should that standard prove inadequate over time, the acceptable tolerances can be tightened in measurable ways and at measurable costs, and communicated in a manner that business executives understand.

Measuring costs is easy, so let’s focus on measuring risk. There are no industry-standard measures for security risk, but there’s no reason to wait for standards. What’s important is that every company develops its own objective risk measure. For example, advanced vulnerability and risk management systems can continuously identify and profile the assets on a network, objectively and automatically measure vulnerability risk, configuration and security policy compliance and other specific metrics, and produce a risk score for each device. These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and in numerous other ways. The scores should be influenced by company-defined asset values (for example, a desktop computer will have a lower asset value than a securities trading system). The risk score can be further influenced by the countermeasures in place for each asset (countermeasures might be additional layers of security such as IDS/IPS, firewalls or antivirus products). And finally, the risk measure should be influenced by the current threat environment that exists in the wild.

Having an objective IT risk measure is the key first step. Once an enterprise puts the systems and processes in place to measure and report on risk, setting goals and managing to them takes over. This means knowing how to prioritise risk reduction efforts. There are countless risks and vulnerabilities in an IT infrastructure, and addressing the highest priorities is critical to achieving maximum risk reduction at the lowest possible cost. When a security team shows up for work, they need to know the top five or ten tasks they can complete that day to reduce risk the most. By mining the security intelligence collected by the vulnerability and risk management system, including asset values, network topology and security policy information, organisations can quickly identify and prioritise the highest risks to a network.

Security budgets are reaching a level where they must be justified. Shifting the focus away from simply buying technology to applying common sense business management principles will ensure that companies spend wisely, manage prudently and deliver the most value to their organisations while protecting their critical information investments.
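The scoring model sketched in the last two paragraphs, as an added example that is not from the article or from nCircle: each asset's score is its company-defined value multiplied by the severity of its findings, weighted by the threat climate in the wild and discounted by the countermeasures in front of it; the scores roll up by business unit or region, the same per-finding numbers rank the day's top remediation tasks, and a trend function compares today's total with last week's. Every weight, asset name and finding identifier below is constructed for illustration, not taken from any real scanner or vulnerability database.

```python
"""Added example (not nCircle's code): a toy asset risk score in the shape the
article describes, with roll-ups by business attribute and a ranked task list.
All weights, asset names and findings are constructed for illustration."""
from dataclasses import dataclass, field
from collections import defaultdict
from math import prod

# Constructed weights: the fraction of exploit likelihood each countermeasure is assumed to remove.
COUNTERMEASURE_REDUCTION = {"firewall": 0.30, "ids_ips": 0.25, "antivirus": 0.20}

# Constructed threat-environment multipliers: a finding with exploit code circulating
# in the wild weighs more than a purely theoretical one.
THREAT_FACTOR = {"theoretical": 0.5, "proof_of_concept": 1.0, "exploited_in_wild": 2.0}


@dataclass
class Finding:
    finding_id: str   # constructed identifier, deliberately not a real CVE number
    severity: float   # 0-10, in the style of a scanner severity score
    threat: str       # key into THREAT_FACTOR


@dataclass
class Asset:
    name: str
    business_unit: str
    region: str
    value: int        # company-defined asset value: 1 (desktop) up to 10 (trading system)
    countermeasures: set = field(default_factory=set)
    findings: list = field(default_factory=list)


def mitigation_factor(asset):
    """Fraction of raw vulnerability risk that survives the asset's countermeasures (1.0 if none)."""
    return prod(1 - COUNTERMEASURE_REDUCTION[c] for c in asset.countermeasures)


def finding_risk(asset, finding):
    """Risk contributed by one finding: asset value x severity x threat climate x mitigation."""
    return asset.value * finding.severity * THREAT_FACTOR[finding.threat] * mitigation_factor(asset)


def asset_risk(asset):
    """Per-device risk score: the sum of its findings' contributions."""
    return sum(finding_risk(asset, f) for f in asset.findings)


def aggregate(assets, key):
    """Roll asset scores up by an attribute name such as 'business_unit' or 'region'."""
    totals = defaultdict(float)
    for a in assets:
        totals[getattr(a, key)] += asset_risk(a)
    return dict(totals)


def top_tasks(assets, n=5):
    """The n fixes that remove the most risk: one (risk removed, asset, finding) row each, best first."""
    tasks = [(finding_risk(a, f), a.name, f.finding_id) for a in assets for f in a.findings]
    return sorted(tasks, reverse=True)[:n]


def trend(previous_total, current_total):
    """Percentage change in total risk between two measurement points, e.g. last week vs today."""
    return (current_total - previous_total) / previous_total * 100


# Constructed inventory: the same finding on a trading system and on a desktop scores very differently.
ASSETS = [
    Asset("trading-app-01", "Capital Markets", "EMEA", 10, {"firewall", "ids_ips"},
          [Finding("VULN-001", 9.0, "exploited_in_wild"), Finding("VULN-002", 4.0, "theoretical")]),
    Asset("hr-desktop-17", "Corporate", "EMEA", 1, {"antivirus"},
          [Finding("VULN-001", 9.0, "exploited_in_wild"), Finding("VULN-003", 7.5, "proof_of_concept")]),
    Asset("web-shop-03", "Retail", "APAC", 7, {"firewall"},
          [Finding("VULN-003", 7.5, "proof_of_concept")]),
]

if __name__ == "__main__":
    for unit, score in sorted(aggregate(ASSETS, "business_unit").items()):
        print(f"{unit:16s} {score:8.2f}")
    for risk, asset, fid in top_tasks(ASSETS, 3):
        print(f"fix {fid} on {asset}: removes {risk:.2f}")
    last_week_total = 250.0  # constructed previous measurement
    print(f"trend vs last week: {trend(last_week_total, sum(asset_risk(a) for a in ASSETS)):+.1f}%")
```

Run as a script it prints the per-business-unit totals, the three highest-value fixes and the week-on-week trend. The point the article makes falls straight out of the numbers: the same exploited-in-the-wild finding tops the list on the trading system and barely registers on the desktop, so a team working down this list spends its day where the risk actually is.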